Add Expect CT policy that gets checked on all certs

net/quic/crypto/proof_verifier_chromium.cc

Index: net/quic/crypto/proof_verifier_chromium.cc
diff --git a/net/quic/crypto/proof_verifier_chromium.cc b/net/quic/crypto/proof_verifier_chromium.cc
index e9191a76c2bca2897f96221082428aa03b1f9156..42377eb082303cf64243763b5c858a2e20b3c77d 100644
--- a/net/quic/crypto/proof_verifier_chromium.cc
+++ b/net/quic/crypto/proof_verifier_chromium.cc
@@ -284,14 +284,18 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
-  if (result == OK && policy_enforcer_ &&
-      (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
-    if (!policy_enforcer_->DoesConformToCTEVPolicy(
+  if (result == OK && policy_enforcer_) {
+    if (!policy_enforcer_->DoesConformToCertPolicy(
             cert_verify_result.verified_cert.get(),
-            SSLConfigService::GetEVCertsWhitelist().get(),
-            verify_details_->ct_verify_result, net_log_)) {
+            verify_details_->ct_verify_result)) {
       verify_details_->cert_verify_result.cert_status |=
           CERT_STATUS_CT_COMPLIANCE_FAILED;

[Ryan Sleevi, 2016/01/23 02:08:10]

BUG: This changes the meaning of this status, in that it no longer respects the
whitelist (like the code previously did) for EV certificates.

I think the proposed class-level comments to the policy enforcer may explain
what I *think* is the right flow to check for this. Let me know what you think!

+    }
+    if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV) &&
+        !policy_enforcer_->DoesConformToEVPolicy(
+            cert_verify_result.verified_cert.get(),
+            verify_details_->ct_verify_result,
+            SSLConfigService::GetEVCertsWhitelist().get(), net_log_)) {
       verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
     }
   }